Jennifer Orr Mitchell

Recent OCR Settlements Emphasize the Need for Thorough HIPAA Risk Analysis

July 25, 2025 | Legal Alerts

Two settlements recently announced by the U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR) reinforce the agency’s emphasis on thorough risk analysis as a means of preventing the disclosure of electronic protected health information (ePHI). In recent weeks, OCR announced separate settlements with business associate Comstar, LLC (Comstar) and provider Deer Oaks-The Behavioral Health Solution (Deer Oaks). Each agreed to a relatively modest penalty, together with corrective action aimed at improving risk analysis, risk management planning and workforce training.

Comstar:

  • In March 2022, Comstar experienced a ransomware attack that compromised the ePHI of 585,621 individuals.
  • The breach went undetected for seven days, during which attackers encrypted Comstar’s network servers.
  • HHS determined that Comstar failed to conduct a thorough risk analysis as required under the HIPAA Security Rule (45 C.F.R. § 164.308(a)(1)(ii)(A)).
  • Comstar agreed to implement a corrective action plan (CAP) that OCR will monitor for two years and pay $75,000 to HHS.
  • The CAP required Comstar to:
    • Conduct a comprehensive and thorough analysis of the potential risks and vulnerabilities to the confidentiality, integrity and availability of ePHI that Comstar holds;
    • Develop a risk management plan to address and mitigate security risks and vulnerabilities identified in the risk analysis;
    • Review and revise, as necessary, its written policies and procedures to comply with the HIPAA Privacy, Security and Breach Notification Rules; and
    • Train its workforce members who have access to PHI on its HIPAA policies and procedures.

Deer Oaks:

  • In May 2023, Deer Oaks discovered the exposure of ePHI belonging to approximately 35 individuals, which the provider attributed to a coding error in a pilot program for an online patient portal. The OCR investigation determined the exposure dated back to at least December 2021 and continued until May 19, 2023.
  • OCR opened an investigation in May 2023, which was expanded in July 2024 after Deer Oaks experienced a subsequent breach of its network resulting from a compromised account. A threat actor claimed to have exfiltrated data and demanded payment to prevent posting the ePHI on the dark web, impacting an estimated 170,000+ individuals.
  • OCR found that Deer Oaks disclosed PHI in a manner not required or permitted by the Privacy Rule and failed to conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity and availability of the electronic protected health information that it holds as required by the HIPAA Security Rule.
  • Deer Oaks agreed to implement a corrective action plan that OCR will monitor for two years and paid $225,000 to OCR.
  • The terms of the CAP required Deer Oaks to:
    • Annually review and update, as necessary, its risk analysis to determine the potential risks and vulnerabilities to the confidentiality, integrity and availability of its ePHI;
    • Develop and implement a risk management plan to address and mitigate security risks and vulnerabilities identified in its risk analysis;
    • Develop, maintain and revise, as necessary, certain written policies and procedures to comply with the HIPAA Rules; and
    • Provide annual training for each workforce member who has access to PHI.

Regulatory Implications: These enforcement actions underscore OCR’s continued focus on cybersecurity planning, preparedness and risk analysis obligations under HIPAA. While monetary penalties remain an important tool in OCR’s enforcement scheme, one could argue that the penalties in these two cases were relatively modest in comparison to the number of individuals affected by the breaches. The terms of the CAPs signal the importance OCR places on four principles related to HIPAA cybersecurity:

  1. Understand your risks. Covered entities must conduct thorough risk analysis on an ongoing basis to identify potential risks to ePHI.
  2. Plan accordingly. Both business associates and providers must go beyond simply recognizing risks. They should proactively develop and implement strategies to address and mitigate them.
  3. Update policies regularly. Written policies and procedures must reflect HIPAA requirements for proper security of ePHI.
  4. Train your team. The best planning and policy won’t matter much if the employees who execute them aren’t receiving regular training. It’s important to make sure those who handle ePHI know and follow the rules.

For assistance reviewing your HIPAA compliance program or vendor risk management strategy, please contact Dinsmore attorneys Jennifer Mitchell or Herb Stapleton.